Introduction

Rich Caralli

Technical Manager - CERT Resilient Enterprise Management Team

25+ years in IT Audit and IT Management in financial services, manufacturing, and energy

8 years @ SEI concentrating in information security risk management

BS-Accounting; MBA

Frequent lecturer in Carnegie Mellon Heinz School and CIO Institute
Agenda

What is CERT-RMM?

History

Model Building Blocks

Model Architecture

The Capability Dimension

Determining Capability

CERT-RMM Credentialing

CERT-RMM and PS-Prep

CERT-RMM Product Suite
What is CERT®-RMM?

The CERT® Resilience Management Model (CERT-RMM) is a capability model for managing and improving operational resilience.

Software Engineering Institute | Carnegie Mellon

Positions operational resilience in a process improvement view

Includes 26 "process areas"

Focuses on the operations phase of the lifecycle

Defines "maturity" through "capability levels" consistent with CMMI

Uses CMMI architecture for ease of adoption

Includes a "continuous representation" for agile adoption
Distinguishing features of CERT-RMM

CERT-RMM brings several innovative and advantageous concepts to the management of operational resilience.

• The convergence advantage: merging the disciplines of security, BC/DR, and IT ops into a single model

• The process advantage: elevating these disciplines to a process view, useful as an integration and measurement framework

• The maturity advantage: provides a foundation for practical institutionalization of practices — critical for retaining these practices under times of stress
History of CERT-RMM

How we got to CERT-RMM version 1.0
CERT-RMM background

CERT-RMM began as research into the application of process improvement and maturity model approaches to security management.

Literature review and affinity analysis of over 800 standard practices from the security, BC/DR, and IT ops communities

Examination of the body of knowledge of high-maturity organizations

Codification of the model using trusted CMMI architecture and concepts

Benchmarking and piloting in the banking/finance community, defense contractors, and US government federal civilian agencies
CERT-RMM timeline

Years marked on the timeline: 2003, 2004, 2005, 2007, 2010

Milestones, in order:

Best-in-Class Operations Roundtable

Technical Report: "Managing for Enterprise Security" released

Began collaboration with FSTC

Commenced development of PRISM: Process Improvement for Info Security Management

Technical Report: "Sustaining Operational Resiliency: A Process Improvement Approach to Security Management" released

CERT Resiliency Engineering Framework v0.95 released

CERT Resiliency Engineering Framework v0.95 benchmarking effort commenced

Intro to CERT Resiliency Engineering Framework course piloted

CERT Resilience Management Model v0.95 released

CERT Resilience Management Model v1.0 released

CERT-RMM v1.0 Addison-Wesley book released
Why CERT-RMM?

The rationale for the model
Imperatives for building CERT-RMM

Cultural shifts

Increasingly complex operational environments where traditional approaches are failing

Siloed nature of operational risk activities; a lack of convergence

Lack of common language or taxonomy

Overreliance on technical approaches

Lack of means to measure managerial competency

Inability to confidently predict outcomes, behaviors, and performance under times of stress
Organizational challenges

Cope with operational risk and minimize impact

Move all operational risk management activities in the same direction

Optimize cost/effectiveness

Meet the mission no matter what

How do you measure performance before you're stressed or fail?
CERT-RMM Building Blocks

Foundational concepts of the model
Operational resilience

Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]

Operational resilience: The emergent property of an organization exhibited when it continues to carry out its mission after disruption that does not push it beyond its operational limit [CERT-RMM]
Operational resilience & operational risk

Security and business continuity are not end-states; they are continuous processes

Effective operational risk management requires harmonization: convergence of these activities working toward the same goals

Operational resilience emerges from effective operational risk management

Sources of operational risk (figure): Actions of people; Systems & technology failures; Failed internal processes; External events

©2010 Carnegie Mellon University

Layers of resilience activities

Operational Resilience Management System: Resilience planning, program execution, and coordination across organizational units

Tactical execution of resilience activities:

Security and Control Activities: Developing and implementing security architectures, managing security operations

Continuity and Recovery Activities: Developing and executing continuity plans, recovery plans, and restoration plans

Operations Activities: Developing, implementing, and managing processes to deliver IT services and manage IT infrastructures
CERT-RMM principle of convergence

Figure: Organization Mission is supported by operational resilience; CERT-RMM focuses on Security Management, Business Continuity, and IT Operations Management, which converge into Operational Risk Management.

Operational resilience is directly affected by convergence

Organizational mission is directly affected by operational resilience
CERT-RMM foundational elements

Services: The limited number of activities that the organization carries out in performance of a duty or to produce a product

Business Processes: The detailed activities that the organization (and its suppliers) perform to ensure that services meet their mission

Assets: Something of value to the organization required by business processes and services to meet their missions
Services in CERT-RMM

The organizing concept in CERT-RMM is a service

The resilience of high-value services in the organization ensures the resilience of the organization's mission

Service resilience is a factor of asset resilience — if an asset is disrupted or fails, the service may suffer

Service resilience is the object of CERT-RMM processes
Assets

Something of value to the organization

"Charged into production" of business processes and services

Four types of assets are the focus of operational resilience management as defined in CERT-RMM:

people, information, technology, facilities
Assets charged into production

Asset value relates to the importance of the asset in meeting the business process and service mission.

Operational resilience starts at the asset level

To ensure operational resilience at the service level, related assets must be

• Protected from threats and risks that could disable them

• Made sustainable under adverse conditions

The optimal "mix" of these strategies depends on the value of the asset and the cost of deploying and maintaining the strategy.
Service

Organizational context for resilience activities

Figure: Organization Mission is supported by Service Mission; CERT-RMM focuses on the service mission.
CERT-RMM Architecture

Foundational structures on which the model is built
CERT-RMM in the life-cycle

Operational resilience management focuses on the deploy, operate, and decommission phases, but reaches back to the development phase of the lifecycle to ensure consideration of security and continuity issues prior to placing assets in production.

Life-cycle phases shown: Deploy, Operate, Decommission

CERT-RMM focuses on assets in the operations phase of the life-cycle
For comparison: CERT-RMM & CMMI
CERT-RMM architectural elements

CERT-RMM uses proven architectural elements of CMMI and applies them in an operational context.

• 26 process areas

• Arranged in a continuous representation

• Goals, practices, sub-practices, and work products that specifically define each process area

• Goals, practices, and sub-practices that generically define increasing levels of capability

• Implementation and adoption examples

• An appraisal methodology to determine capability levels
CERT-RMM at a glance

26 process areas in 4 categories

Engineering:
ADM - Asset Definition and Management
CTRL - Controls Management
RRD - Resilience Requirements Development
RRM - Resilience Requirements Management
RTSE - Resilient Technical Solution Engineering
SC - Service Continuity

Enterprise Management:
COMM - Communications
COMP - Compliance
EF - Enterprise Focus
FRM - Financial Resource Management
HRM - Human Resource Management
OTA - Organizational Training & Awareness
RISK - Risk Management

Operations Management:
AM - Access Management
EC - Environmental Control
EXD - External Dependencies
ID - Identity Management
IMC - Incident Management & Control
KIM - Knowledge & Information Management
PM - People Management
TM - Technology Management
VAR - Vulnerability Analysis & Resolution

Process Management:
MA - Measurement and Analysis
MON - Monitoring
OPD - Organizational Process Definition
OPF - Organizational Process Focus
Enterprise management

Seven process areas that support the resilience management process

Governance, Risk, & Compliance: COMP, RISK

Supporting Resilience: HRM, FRM
Engineering

Six process areas for establishing resilience for organizational assets, business processes, and services

Asset Management

Requirements Management: RRD, RRM

Establishing and Managing Resilience: CTRL, RTSE
Operations management

Nine process areas for managing the operational aspects of resilience

Asset Resilience Management: EC, KIM, PM, TM

Threat, Incident, & Access Management: AM, ID, IMC, VAR

Supplier Management
Process management process areas

Four process areas for defining, planning, deploying, implementing, monitoring, controlling, appraising, measuring, and improving operational resilience management processes

Data Collection & Logging: MON

Process Management: MA, OPD, OPF

CERT-RMM process area structure
CERT-RMM links to codes of practice

Codes of Practice:

BS 25999-1:2006

CMMI v1.2

CMMI for Services

CobiT 4.1

COSO ERM

DRII GAP

FFIEC Handbooks (Security, BCP)

ISO 20000-1:2005(E)

ISO 20000-2:2005(E)

ISO 24762:2008(E)

ISO 27001:2005

NFPA 1600 (2007)

PCI DSS v1.1

Val-IT
The Capability Dimension of CERT-RMM

Measuring process institutionalization to determine capability under stress
The promise of process institutionalization

The "capability" dimension of CERT-RMM sets it apart from other models in the operational resilience space

"Capability" determines the degree to which

• A process has been ingrained in the way that work is defined, executed, and managed

• There is commitment and consistency to performing the process

Measuring capability helps you determine the degree to which you are able to control the output of the process — in this case, the degree to which you can predict how well you'll perform under times of stress
Process institutionalization

Higher degrees of process institutionalization should translate to more stable processes that

• produce consistent results over time

• are retained during times of stress
Value of knowing your "capability" level

The degree of process institutionalization can help to answer several important questions in managing operational resilience:

• How well are we performing today?

• Can we repeat our successes?

• Do we consistently produce expected results?

• Can we adapt seamlessly to changing risk environments?

• Are our processes stable enough to depend on them under times of stress?

• Can we predict how we will perform under times of stress?

You need to know not only that you're doing the right things but that you are doing them in a sustainable way.
Process institutionalization in CERT-RMM

Capability levels are used in CERT-RMM to represent process institutionalization

Figure (capability ladder, lowest to highest): Practices are incomplete; Practices are performed; Processes are acculturated, defined, measured, and governed
Level 0 - Incomplete

Indicates that one or more of the specific goals of the process area is not being achieved

Represents an incomplete process, therefore cannot be institutionalized
Level 1 - Performed

Represents a performed process

Satisfies the specific goals of the process area

Supports and enables the work needed to produce the expected process work products

Provides improvement, but can be lost over time without institutionalization

Improvements can only be maintained and sustained by moving to higher capability levels (i.e., levels 2 and beyond).
Level 2 - Managed

Represents a performed process that has the basic infrastructure in place to support the process

The process is:

• Governed

• Planned and executed in accordance with policy

• Employs skilled people who have adequate resources

• Involves relevant stakeholders

• Is monitored, controlled, and reviewed

• Is evaluated for adherence to its process description

Process discipline ensures that existing practices are retained during times of stress.
Level 3 - Defined

Represents a managed process that is tailored from the organization's set of standard processes

Contributes work products, measures, and other process improvement information to the organizational process assets

Scope difference from level 2 — provides consistency of process assets across organizational units

More rigorous description of processes

Process management is proactive, not reactive

Highly important in RMM — because of the "enterprise" and convergence orientation
Capability levels are cumulative

Achieving Level 3 means achieving (and sustaining) Level 1 (specific goals) plus Level 2 and Level 3 generic goals, and so on...

Figure (ladder): Level 2 - Managed; Level 3 - Defined
Example: Asset Definition & Management

Specific Goals and Specific Practices:

ADM:SG1 Establish Organizational Assets
  ADM:SG1.SP1 Inventory Assets
  ADM:SG1.SP2 Establish a Common Understanding
  ADM:SG1.SP3 Establish Ownership and Custodianship

ADM:SG2 Establish Relationship Between Assets and Services
  ADM:SG2.SP1 Associate Assets with Services
  ADM:SG2.SP2 Analyze Asset-Service Dependencies

ADM:SG3 Manage Assets
  ADM:SG3.SP1 Identify Change Criteria
  ADM:SG3.SP2 Maintain Changes to Assets and Inventory
Institutionalizing Asset Definition & Management

Specific Goals and Specific Practices:

ADM:SG1 Establish Organizational Assets
  ADM:SG1.SP1 Inventory Assets
  ADM:SG1.SP2 Establish a Common Understanding
  ADM:SG1.SP3 Establish Ownership and Custodianship

ADM:SG2 Establish Relationship Between Assets and Services
  ADM:SG2.SP1 Associate Assets with Services
  ADM:SG2.SP2 Analyze Asset-Service Dependencies

ADM:SG3 Manage Assets
  ADM:SG3.SP1 Identify Change Criteria
  ADM:SG3.SP2 Maintain Changes to Assets and Inventory

A managed process is:

• Governed

• Executed according to policy

• Employs skilled people

• Involves relevant stakeholders

• Monitored, controlled, and reviewed

• Evaluated for adherence to the organization's process description

• Regularly reviewed with senior management
Practice example: ADM:SG1.SP1 - Inventory Assets

To institutionalize the performance of the "Inventory Assets" practice, you must commit to and perform these supporting practices:

Institutionalizing Factor: Institutionalizing Practice

Governed: There is a policy requiring periodic asset inventory activities; the activity has oversight and corrective actions are taken when necessary

Employs skilled people: Staff involved in the practice have the appropriate skill levels and training

Involves stakeholders: Asset owners and custodians are involved; all involved in protecting and sustaining the asset are involved

Monitored and controlled: The process is measured to determine effectiveness. Examples: % of assets inventoried; # of changes to inventory in a given period

Evaluate adherence: The process as performed is verified to be aligned with the process definition

Review with senior management: Keep management informed on the results of the process and identify and resolve issues
Determining Capability using CERT-RMM

Determining an organization's capability for managing operational resilience
CERT-RMM capability appraisals

An appraisal is used to evaluate (or diagnose) the organization using CERT-RMM as the basis.

The SCAMPI(SM) appraisal method from SEI forms the foundation of the CERT-RMM Capability Appraisal Method (RMM CAM)

There are three classes of CERT-RMM appraisals (Class A, B, and C):
CERT-RMM capability survey

A self-directed assessment instrument that provides a quick organizational "health check"

Low investment, but potentially high impact

Can be used to catalyze a more formal process improvement effort

Currently in development; to be released by year-end 2010

Not considered to be one of the "class" appraisals and not based on the SCAMPI method
Value of a CERT-RMM appraisal

Process improvement model can allow for third-party appraisals

Creation of a set of professionals skilled in rating process performance

Elimination of subjectivity in rating process performance and institutionalization

Ability to provide statistics on organization and industry capability levels
Appraisal scope

The depth of the CERT-RMM appraisal can vary depending on the organization's objectives (i.e., it can simply help the organization to determine where it is, or it can lead to a formal capability level rating).

Can include one process area or a group of process areas

• Can be broad: one process area over many operational units

• Or deep: many process areas in one operational unit
Appraisal scope

Organizational scope - key CMMI differences:

• No "project" in CERT-RMM

• Instantiations will vary at the practice level

Model scope - key CMMI difference:

• Fine-grained CERT-RMM scoping options
Appraisal scope: capability profile

Capability Profile (figure)
Appraisal results

Capability Profile (figure): capability levels shown per appraised process area

ADM - Asset Definition & Mgmt

COMP - Compliance

IMC - Incident Mgmt & Control

KIM - Knowledge & Info Mgmt

TM - Technology Mgmt
Appraisal results may indicate gaps

Gaps should be analyzed and prioritized prior to implementing improvements
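The level rules above (Level 0 when any specific goal is unmet, then Levels 1 to 3 earned cumulatively through the generic goals) and the capability-profile-with-gaps idea from the appraisal results slides are mechanical enough to write down. The following is an added illustration, not CERT or SEI code and not the RMM CAM: it assumes appraisal findings are recorded as which specific goals (SG) and generic goals (GG2 = managed, GG3 = defined) are satisfied per process area, and the findings, target levels, and priorities are constructed sample data (the process-area identifiers come from the deck; the number of specific goals per area other than ADM is made up here).

```python
"""Capability profile and gap analysis under cumulative capability levels.

Added illustration; not CERT/SEI code. The rule it implements is the one the
deck states: Level 0 if any specific goal is unmet; otherwise Level 1, and
Level n (n = 2, 3) only when every generic goal from 2 up to n is satisfied.
"""

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed", 3: "Defined"}


def capability_level(specific_goals, generic_goals):
    """Return the capability level (0-3) for one process area.

    specific_goals: dict of SG id -> satisfied?   e.g. {"SG1": True, "SG2": False}
    generic_goals:  dict of GG number -> satisfied? e.g. {2: True, 3: False}
    """
    # Level 0: an incomplete process cannot be institutionalized at all.
    if not specific_goals or not all(specific_goals.values()):
        return 0
    level = 1  # all specific goals met: the process is performed
    # Cumulative rule: GG3 only counts if GG2 is also satisfied.
    for gg in (2, 3):
        if not generic_goals.get(gg, False):
            break
        level = gg
    return level


def capability_profile(findings):
    """Map each appraised process area to its capability level."""
    return {pa: capability_level(f["SG"], f["GG"]) for pa, f in findings.items()}


def gap_analysis(profile, targets, priority):
    """List process areas below their target level, highest priority first.

    priority: constructed weight per process area (higher = more urgent);
    ties are broken by the size of the gap, then by name.
    """
    gaps = []
    for pa, target in targets.items():
        achieved = profile.get(pa, 0)  # unappraised areas count as Level 0
        if achieved < target:
            gaps.append({"pa": pa, "achieved": achieved, "target": target,
                         "priority": priority.get(pa, 0)})
    gaps.sort(key=lambda g: (-g["priority"], -(g["target"] - g["achieved"]), g["pa"]))
    return gaps


# Constructed sample findings (hypothetical appraisal evidence, not real data).
SAMPLE_FINDINGS = {
    "ADM":  {"SG": {"SG1": True, "SG2": True, "SG3": True}, "GG": {2: True, 3: True}},
    "COMP": {"SG": {"SG1": True, "SG2": True}, "GG": {2: True, 3: False}},
    "IMC":  {"SG": {"SG1": True, "SG2": False}, "GG": {2: True, 3: True}},  # SG unmet
    "KIM":  {"SG": {"SG1": True, "SG2": True}, "GG": {2: False, 3: True}},  # GG3 w/o GG2
    "TM":   {"SG": {"SG1": True, "SG2": True}, "GG": {}},
}
SAMPLE_TARGETS = {"ADM": 2, "COMP": 2, "IMC": 3, "KIM": 2, "TM": 2}
SAMPLE_PRIORITY = {"IMC": 3, "KIM": 2, "TM": 1}


def report(findings=SAMPLE_FINDINGS, targets=SAMPLE_TARGETS, priority=SAMPLE_PRIORITY):
    """Render a plain-text capability profile followed by the prioritized gaps."""
    profile = capability_profile(findings)
    lines = ["Capability profile:"]
    for pa, level in profile.items():
        lines.append(f"  {pa:<5} Level {level} - {LEVEL_NAMES[level]}")
    lines.append("Gaps (prioritized):")
    for g in gap_analysis(profile, targets, priority):
        lines.append(f"  {g['pa']:<5} at Level {g['achieved']}, target Level {g['target']}"
                     f" (priority {g['priority']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Note how KIM lands at Level 1 even though its GG3 evidence is satisfied: under the cumulative rule a defined process must first be a managed one, so institutionalization evidence at Level 3 does not count until the Level 2 generic goal is met. IMC drops to Level 0 regardless of its generic-goal evidence because a specific goal is unmet.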
CERT-RMM Credentialing

Certifying CERT-RMM professionals
CERT-RMM professional roles

CERT-RMM Appraiser

CERT-RMM Navigator

CERT-RMM Coach

CERT-RMM Appraisal Team Member

These roles are under development — priority will be based on demand
CERT-RMM Appraiser

SEI-Certified CERT-RMM Appraisers can lead all classes (A, B, and C) of appraisals including the Capability Survey

The CERT-RMM Appraiser is responsible to plan and manage the performance of the entire appraisal effort, delegate appraisal tasks to team members, and ensure adherence to CAM appraisal requirements

CERT-RMM Appraisers are sponsored by Partners who are licensed to perform activities on behalf of the SEI
CERT-RMM Coach

Employees or consultants who are assigned to apply, analyze, champion, manage, contribute, or support CERT-RMM based improvement efforts, appraisal teams, and/or organizational initiatives

Provide a workforce element that will promote a smooth adoption of CERT-RMM concepts to create a sustainable improvement effort

Can deliver CERT-RMM class B or C appraisals and the Capability Survey
CERT-RMM Navigator

Provide guidance and management of organizations who are applying the CERT-RMM Capability Survey

Coordinator between the organization and the SEI on completion of the Survey and reporting results from the SEI to the organization

Can only deliver the CERT-RMM Capability Survey; no Class appraisals
CERT-RMM credentialing summary

Role / Authorizations / Path

CERT-RMM Appraiser
  Authorizations: Class A, B, and C; Capability Survey
  Path: Reserved for existing CMMI Lead Appraisers only at this time; Intro to CERT-RMM course; CERT-RMM CAM BootCamp. 2011 program in development for "new" appraisers

CERT-RMM Coach
  Authorizations: Class B and C; Capability Survey
  Path: Intro to CERT-RMM course; CERT-RMM Coach Training

CERT-RMM Navigator
  Authorizations: Capability Survey
  Path: Intro to CERT-RMM course; CERT-RMM Navigator Training

CERT-RMM Appraisal Team Member
  Authorizations: Performs as member of appraisal team
  Path: Intro to CERT-RMM course; CERT-RMM Appraisal Team Training
CERT-RMM and PS-Prep

Comparing and contrasting CERT-RMM in the context of FEMA's PS-Prep program
What is PS-Prep?

FEMA's Voluntary Private Sector Preparedness Accreditation and Certification Program

Mandated by Title IX of the 9/11 Commission Act of 2007

Participation is completely voluntary

DHS approved three standards in June 2010:

• National Fire Protection Association 1600

• British Standard 25999 - Business Continuity Management

• ASIS International SPC.1-2009 - Organizational Resilience: Security Preparedness and Continuity Management System

(These standards are incorporated into and cross-walked in CERT-RMM.)

ANSI-ASQ National Accreditation Board will oversee the certification process
"Prepared" vs. "Capable"

PS-Prep: promote private sector preparedness "including disaster management, emergency management, and business continuity programs."

Prepared: can you respond?

CERT-RMM: promote private sector capability — preparedness is a function of:

• Protection strategies (preventative)

• Sustainability strategies (responsive)

• Process institutionalization or "maturity" to determine the degree to which these strategies will "stick" when the organization is stressed

Capable: can you control your destiny by heading off problems and responding when stressed?
CERT-RMM vs. ASIS standard - 2

A preliminary comparison:

Scope
  CERT-RMM: Security, continuity, IT operations; takes management system view but also addresses key operational activities such as vulnerability management, access management, and identity management; also addresses resilience in the development and acquisition phases
  ASIS SPC.1-2009: Focuses on the organizational resilience management system and key management processes

Process approach
  CERT-RMM: Uses CMMI's process structure; uses "process" as the dimension for measurement of capability; processes are arranged into process areas to allow for scalable and agile adoption
  ASIS SPC.1-2009: Defines process approach broadly in terms of a "plan-do-check-act model"

Maturity considerations
  CERT-RMM: Uses proven CMMI capability dimension for maturity expression; some process areas express maturity dimensions as well
  ASIS SPC.1-2009: Includes "maturity" elements, but does not appear to have a maturity representation analogous to CMMI or CERT-RMM

Appraisal
  CERT-RMM: Appraisal against the model uses proven SCAMPI method for CMMI; significant installed base of qualified and experienced appraisers; official "capability level"
  ASIS SPC.1-2009: Includes an assessment process specific to determining compliance with the standards; no maturity rating
CERT-RMM scorecard

Advantages:

• One model with significant coverage of standards

• Ability to incorporate any useful standard/practice

• Capability dimension provides a proven maturity path and the ability to determine the degree to which practices are retained under stress

• Focuses on process improvement, not just certification; has a built-in path to improvement

• Allows for process-based metrics and measurement

• Creates internal process improvement experts to sustain competency

• Appraisal and certification model established and proven; issued ratings "sanctioned" by the SEI/CERT

Disadvantage:

• Limited coverage of emergency/crisis management (for now)
CERT-RMM Product Suite

Model artifacts available to begin an adoption process
CERT-RMM product suite

Product / Status

CERT-RMM Model: Version 1.0 released; Technical Report released; individual process areas released @ www.cert.org/resilience

CERT-RMM Capability Appraisal Methodology: Version 1.0 to be released in method description document, August 2010

CERT-RMM Crosswalk: Version 0.95 published; Version 1.0 (expanded) to be published late Summer

Introductory courses: Introduction to CERT-RMM (4 days; offered 4 times/year in Pittsburgh and DC); Executive workshops and tutorials available on demand

Advanced courses: CERT-RMM Intermediate Course (in development for 2011); CERT-RMM CAM BootCamp (pilot scheduled for November 2010); CERT-RMM Role training (Coach, Navigator); CERT-RMM instructor training
CERT-RMM book publication

Scheduled for publication in November 2010 by Addison-Wesley

Includes full model (v1.0) plus adoption guidance and perspectives of real-world use of the model

Book cover: CERT Resilience Management Model: Improving Operational Resilience Processes
Richard A. Caralli, Julia H. Allen, David W. White
Resilience measurement & analysis

Area of research growing out of CERT-RMM development

Focuses on the development of adequate measures to determine transformation of operational resilience management system

Focuses on performance measurement: how well are we doing?

Includes both qualitative and quantitative measurements

Measurement users group (RMM MUG) forming; Fall 2010 opportunity to join a measurement cohort and share
Questions?

CERT-RMM contacts

Rich Caralli
RMM Architect and Lead Developer
rcaralli@cert.org

Lisa Young
RMM Appraisal Lead & Developer
lry@cert.org

Richard Lynch
Public Relations — All Media Inquiries
public-relations@sei.cmu.edu

Joe McLeod
For info on working with us
jmcleod@sei.cmu.edu

David White
RMM Transition Lead & Developer
dwhite@cert.org

Julia Allen
RMM Developer/Measurement Team Lead
jha@sei.cmu.edu

SEI Customer Relations
customer-relations@sei.cmu.edu
412-268-5800
NO WARRANTY

THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES
Become an SEI Member!

www.sei.cmu.edu/membership
CERT's Podcast Series: Security for Business Leaders

www.cert.org/podcast/

[Screenshot: the iTunes listing for CERT's Podcast Series: Security for Business Leaders, showing the 2009 episode list with featured guests]
For more than 20 years, the SEI has been at the forefront of software engineering.

By becoming an SEI Partner, you join forces with a software engineering pioneer and an institute whose credibility provides a solid foundation during uncertain economic times.

SEI Partner Network

www.sei.cmu.edu/partners
Do you have the knowledge you need?

SEI Training

www.sei.cmu.edu/training

© 2010 Carnegie Mellon University